The CMO of one of the world’s largest cybersecurity companies has candidly admitted she wasn’t prepared for a security mistake that could have been avoided entirely.
Allison Cerra, senior vice president and chief marketing officer at McAfee, has shared what she described as the worst day of her career, Easter Sunday 2017, when one of the cybersecurity company’s social media pages was hijacked.
“On any given day, I’m actually responsible for protecting my company’s brand. Not just protecting it, creating it, nurturing and amplifying it,” the CMO told delegates at the company’s MPower conference in Las Vegas today.
Without naming the social media network, Cerra explained that after being alerted to the incident by a colleague, “I went to our company’s profile page on that network and I was horrified.”
“I was confronted with a tapestry of racist, sexist, and homophobic slurs. Our company description was replaced with the most repugnant and derisive insults directed at nearly every walk of life. It was abundantly clear that our page had been hijacked by a hacker.”
The timing was especially embarrassing because just 12 days earlier the company was spun out from Intel to become one of the largest pureplay cybersecurity businesses in the world.
“It was downright humiliating.”
Cerra said the McAfee CISO was engaged and confirmed the McAfee systems were secure, and it was only the social page which had been compromised via a third party.
“McAfee was not hacked. Our systems were never compromised and our data was never at risk.”
“As CMO, my team was and is responsible for safeguarding the company’s presence across all third party media channels. We had failed to do so.”
Cerra shared the mistakes the marketing team made which led to the incident and the ones which caused more pain in the immediate aftermath.
“The hack occurred through stolen credentials of a former agency employee who was an administrator on our account. When she left the agency, we should have disabled her privileges.”
Her privileges were stolen when she reused a password across multiple accounts, including the one which was given to her for administrative access to McAfee’s social media page.
The company also made a mistake in its initial response, Cerra said. They began deleting the rogue posts before they had secured the account, so the hacker was able to lock the McAfee team out of their own account and they had to negotiate with the social media platform to regain their administrative access.
The final mistake was the lack of a formalised escalation process with the social media platform provider.
Starting the conversation
Cerra is now sharing this story to help organisations improve their cybersecurity posture and lift the level of cyber literacy across all aspects of the org chart.
“It is awkward to talk about a hack of any kind publicly, particularly when it happens to you even if it’s through a third party. But I would submit we can’t have an honest conversation about cybersecurity, if we don’t start a conversation.”
“And the unfortunate reality of cyber is that attackers never relent which makes some of us unfortunate victims.”
In the aftermath of the attack, Cerra wrote a book, The Cybersecurity Playbook: How Every Leader and Employee Can Contribute to a Culture of Security.
Written by a marketer, the cybersecurity book focuses on people, who are often “unwitting participants” that enable bad actors to cause harm.
Each chapter is dedicated to a different functional leader or employee group, from marketers, CFOs, HR and product developers to the board.
The goal is to highlight the shared responsibility and actions each group can take to mitigate cyber risks.
Tess Bennett travelled to MPower in Las Vegas as a guest of McAfee.